http://blog.kaspersky.com
The Official Blog from Kaspersky Lab covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.
Fri, 09 Dec 2016 14:00:10 +0000
Mamba ransomware allows riders free entry to San Francisco Muni
http://blog.kaspersky.com/mamba-hddcryptor-ransomware/13539/
Thu, 01 Dec 2016 14:09:21 +0000

This past weekend, November 26 and 27, people traveling on the San Francisco Municipal Railway were surprised to find out that they didn’t have to pay for their rides. Everyone rode free both days. A socialist dream come true? Nope. The SF Municipal Railway, aka the Muni, lost the ability to sell tickets because it was attacked by ransomware.

Some media outlets claim that the problem manifested a few days earlier, just before Thanksgiving Day, when station ticket machines and schedule monitors started displaying a message saying “You Hacked” — as usual, ransomware announced itself with a lot of grammatical mistakes. It seems that the ransomware, called Mamba, which is a variant of HDDCryptor, knocked more than 2,000 computers belonging to the San Francisco Municipal Transport Agency (SFMTA) out of commission.

Mamba (and HDDLocker; let’s just consider them one and the same for the rest of this post) is a piece of ransomware that encrypts the whole hard drive and changes the master boot record (MBR) to prevent infected computers from loading their operating systems, displaying the malefactors’ message instead.

The creators of Mamba used open-source utilities as parts of the Trojan, and that, among other things, helped them create a strong algorithm. So there is no known way to get back files encrypted by Mamba without paying the criminals.

The Mamba perpetrators urged the SFMTA to contact them at cryptom27@yandex.com, and using this e-mail address, a journalist from the San Francisco Examiner was able to talk to the criminals, who introduced themselves as “Andy Saolis.” As Saolis’ story went, the attack on Muni was not a targeted one; the system got infected simply because someone with admin privileges downloaded an infected torrent file.

Saolis also told the Examiner that the SFMTA had to pay them 100 bitcoins (about $73,000) to get its computers back in operation. But it seems the SFMTA was able to deal with the problem without paying ransom; later on Sunday, the ticket machines were functioning again.

Kaspersky Lab’s antimalware researchers are keeping close track of the threat actor responsible for the attack. It seems that Mamba is typically used to attack businesses and organizations: The Muni attack is not the first notch on Mamba’s belt — and actually, 100 bitcoins is a rather small sum by these criminals’ standards. Usually they demand much more.

So, Mamba seems like a really nasty threat. What can you do to protect yourself and your organization from it?

1. The SFMTA was able to get Muni up and running relatively quickly because it had backups. It’s worth mentioning that these backups were not on network shares; otherwise, Mamba would’ve encrypted them as well.

The lesson here: Be like the SFMTA and back up your data regularly. Keep the backups either in the cloud or on external hard drives, not on your computer or network-attached devices.

2. Be even smarter than the SFMTA and avoid getting infected by Mamba, or any other ransomware, at all. Instead, use a good security solution. Kaspersky Internet Security detects Mamba (and HDDCryptor, and others like them) as HEUR:Trojan.Win32.Generic and doesn’t give them a chance to encrypt anything.

Free your digital life
http://blog.kaspersky.com/free-your-digital-life/13533/
Wed, 30 Nov 2016 14:00:41 +0000

According to our recent survey, more than 70% of active Internet users have considered quitting their social networks, primarily, they say, because they waste too much time on them. I think it’s something more: that people feel they have become mere commodities to the digital corporations that not only feed them content, but also more and more often tell them what to do, what to buy, what to watch and listen to — and the list goes on.

Do we really own our digital lives? Many of you already know the bitter truth: We don’t.

The individual user of a digital device can do a bit to control their digital shadow — the data and metadata that is generated automatically about users as they visit websites. VPNs, anonymizers, and filtering can help shrink the shadow, but what about the more visible part of the digital life? The photos, videos, fleeting thoughts, and other things that we post on purpose and consider our own — our digital footprints — effectively belong to the IT corporations that run our social networks and multimedia hosting platforms.

That video you made yesterday with or for your friends or family? The moment you uploaded it, the hosting service (i.e., the site where you’re sharing it) gained effective ownership rights over it. Depending on the legislation of your country, you may be able to prohibit further sharing or demand the removal of your personal content, but you can never be perfectly sure that it has not been cached somewhere — that’s why I said “effectively” before “ownership rights” — no matter what the site’s terms and conditions may say.

Basically, what goes on the Internet stays there forever, regardless of your state of mind when posting or future ability to access your account. Someone hacked your account and changed your password? Sorry! Not having ownership over your digital creations or any right to gain ownership — I call that situation something akin to digital slavery.

Many people I know actually find it convenient. They like to live in a bubble of “tailored content,” “special offers,” and “enjoyable friend feeds.” But I also have many friends who would prefer to stop paying for that stuff by giving up their freedom to be irrational, inexplicable, unpredictable, and, most of all, invisible to digital tools. That’s my preference as well.

That said, let me ask you a question: When was the last time you sat with your closest friends or family, looking at photos together and enjoying the memories? It’s been a while, hasn’t it? We’ve become so addicted to social networks that when we get together, we no longer pore over photo albums — they don’t even exist anymore! Albums’ digital successors, photo frames, never took off; why bother when you can just post a picture on Instagram or Facebook?

So, instead of getting cozy with friends around a book of photos, we see people at the table with a fork in one hand and their phone in the other. Besides ruining the atmosphere of family dinners, our addiction to instant sharing has also externalized an important part of ourselves — and, as I mentioned earlier, given control over it to corporations. If I may wax philosophical for a moment, if we don’t have a tangible past, does that mean that we don’t have a future?

As it turns out, regaining ownership of digital memories is no easy feat. IT giants will do everything they can to keep you on the hook. And who has left digital footprints on only one service? Most people have scattered their memories through at least a few.

While working on the FFForget concept, which we plan to open to the public in 2017, we tested the APIs of four key social networks: Facebook, Twitter, Instagram, and Google+, and found out that it is possible (for now) for users to take their stuff back, making a copy of their digital moments from these networks and storing it safely in an impenetrable, encrypted vault. Once they have the personal content back, users can do whatever they want with it and with their accounts: another step toward independence from big IT corporations.

I firmly believe taking back personal digital content is a step toward a future in which the current model — digital slavery — is no longer valid. In this future, ownership rights will belong fully to the users, and users will be in full control of their content. That’s the kind of future I want to live in.

NYC landmarks hacked, customer data leaked
http://blog.kaspersky.com/nyc-credit-card-breach/13516/
Wed, 23 Nov 2016 17:42:50 +0000

New York City is one of those places that people from around the globe make a pilgrimage to see. During the holiday season, Radio City Music Hall and the tree at Rockefeller Center are traditions that many families observe annually. Similarly, Madison Square Garden is a beacon for fans of sports and concerts.

Unfortunately, the popularity of some of these venues caught the eyes of some grinching hackers. Earlier this week, the owners of Madison Square Garden, Radio City Music Hall and the Beacon Theater announced that they were the victims of a data breach.

In response to the NY Daily News, the company said, “MSG recognizes the importance of protecting customer data and deeply regrets any inconvenience this incident may have caused its customers.”

The company has not yet identified the scope of this breach. However, if you attended any events at these venues, you should keep an eye on your account statements and dispute any charges that you did not authorize.

“It’s great to see chipped credit cards and the necessary chip readers gain adoption as these sorts of fairly preventable schemes continue to be exposed. EMV is a real benefit to travelers, tourists, and folks looking for a good show without the risk of easy credit card fraud,” said Kurt Baumgartner, Principal Security Researcher, GReAT.

On the downside, even people with chipped cards need to review transactions in their accounts – unprotected, striped card readers were and are still in use.

Earlier this year, we blogged on how the transition to pin and chip cards in the US is leading to an increase in fraud. Unfortunately, this is something that consumers will have to deal with until the transition is complete.

So much like our tips for Black Friday shopping, we advise you to be vigilant in keeping your money safe and out of criminals’ hands.

Trapped in social networks
http://blog.kaspersky.com/social-attachment-survey/13450/
Tue, 15 Nov 2016 12:01:14 +0000

A recent survey of 4,831 active social network users, conducted by Kaspersky Lab in 12 countries, reveals that an overwhelming majority (78%) of respondents considered quitting their social networks — but chose to stay. They wanted to leave for a variety of reasons: 39% of users complained they were wasting too much time, the top response. The top reason not to quit was a desire to stay in touch with relatives and friends (62% of respondents).

In this post we present key survey results and their interpretations.

Key Findings

78% of active social network users who responded to our survey said that they have been thinking of quitting social networks

Key reasons users consider quitting:

They are tired of wasting time — 39%

They don’t like being monitored by IT giants — 30%

Key considerations that prevent users from quitting: 62% want to stay in touch with friends and relatives

Users generally welcome the idea of a solution that could allow them to gain control over their digital moments (28%), but they want to see how convenient it is

The three most important features for such a service from users’ point of view:

Interpretation

Our first question was: “Have you ever considered quitting social networks?” The overwhelming majority (78%) admitted that they had. A small fraction of them (6% of all respondents) went even farther and said that they actually hate social networks. About 17% had never considered leaving their social networks. These results were pretty consistent for all of the countries in which we ran the survey: United States, Canada, United Kingdom, France, Germany, Italy, Spain, Turkey, Russia, Brazil, Mexico, and Japan.

So: Why would users consider quitting their social networks?

Figure 1. Reasons users have considered quitting social networks.

The top reason for quitting (39% of respondents) appears to be a growing feeling among users that they are wasting too much time on social networking sites. The second most popular reason overall (30% of respondents) was that they don’t want IT giants monitoring their every move online. However, the top two reasons were not uniform across the countries we surveyed. Countries including Italy and Germany flipped the top two, being more concerned about privacy than loafing, and users in Spain came close to rating IT giants’ monitoring their No. 1 reason to consider leaving social media. More detailed information on the number of respondents is reported below, in the “Methodology” section.

As we expected when we designed the survey, the most popular reason for staying was that they wanted to keep in touch with their friends and relatives (62% of respondents).

Figure 2. Reasons for not quitting social networks (multiple choice).

The second biggest reason named (21%) was that they want to share their digital memories online and feel that social networks are the best places to do that. One in six respondents (18%) said that they use social network accounts to log in to other Web services.

We also asked users if they would consider using a service that allows them to store their digital moments (conversations, videos, images, and other memories) in one place, offline or in the cloud. Such a service would give users the freedom to do what they want with their online accounts without losing access to their digital memories regardless of connectivity status or social network moderators’ mood — or even to quit social networks without losing a bit of their digital profile.

Figure 3. “If you could store the conversations, videos, images and other memories from the networks you use in one place, would you be interested?”

On average, most users chose the option “I might, but it will depend on how convenient the tool will be” (28%). However, the second most favored option, “Sounds like a good idea to have my own backup” (22% on average) was slightly more favored in Brazil, Italy, and Spain. The option “It’s my digital life and I want to keep it for myself” was the third most important consideration (19%).

We then asked users about which features they would consider important in such a tool, and 50% of respondents named “Ability to limit the access to third-party applications and services to my digital memories” the most important. That wasn’t the case for all of the countries, though: respondents from Brazil voted more for the service to employ the best-in-class encryption for saved data — the second most preferred option (46% on average). In Russia, the most popular option was “Special tool for flexible arrangement of stored information” (No. 3 on average, chosen by 34% of respondents globally). Contrary to what we expected, only 27% of respondents selected the proposed automatic backup option.

Methodology

The survey period was seven weeks starting in the beginning of October and ending in the middle of November. The survey, containing eight questions, was translated into nine languages: English, Spanish, Portuguese, French, Italian, German, Russian, Japanese, and Turkish, and programmed using Poll Daddy. We disseminated the link to the survey using paid Facebook and Twitter promotions in North America (US and Canada, EN(NA) on the graph below), the United Kingdom (UK), Spain (ES), Mexico (MX), Brazil (BR), France (FR), Italy (IT), Germany (DE), Russia (RU) and Japan (JP). The Turkish (TR) version of the survey was not promoted as long as the others, and the number of respondents for Turkey is close to the organic reach.

Questions “What prevents you from quitting [social networks]?” and “Which premium features [of the service] you might be interested?”, the responses to which are presented in figures 2 and 4, respectively, allowed for multiple choice.

In general, the age distribution of respondents in most of the countries follows the reference age distribution of Facebook users, which indicates an accurate representation of the population for Brazil and Russia, given the total amount of responses we received. However, countries such as Italy, Germany, the United States, and Canada had a much higher proportion of older respondents than Facebook does.

The gender distribution of respondents also was far from even, with 68% male and only 29% female (3% chose neither or preferred not to disclose) on average across all geographies. The only country with minimal gender disparity of respondents was Russia (51% male, 47% female, 2% undisclosed), and Brazil’s respondents were the most disparate (92% male, 7% female).

Finally, we did not fail to notice the significant proportion of “Other” responses to both the question about reasons for considering quitting and the question about reasons keeping users from quitting. That leaves room for in-depth research on this phenomenon, which is in process — stay tuned!

The Crysis crisis is now over
http://blog.kaspersky.com/crysis-decrypted/13439/
Mon, 14 Nov 2016 18:02:34 +0000

In February 2016, another new strain of ransomware hit the scene, its name akin to what many victims feel when they are hit with ransomware – Crysis.

Over the past nine months, this strain of ransomware attacked 1.15% of Internet users (Kaspersky Lab Data). The majority of victims are located in Russia, Japan, South Korea, and Brazil. The ransomware also took ninth position in the top 10 ransomware rankings for 2016.

Well, for those victims, today is a day to rejoice. Earlier in the day, a set of encryption keys for the Crysis Trojan was released to the public. Immediately after receiving the keys, our experts created a decryption tool.

“Once again, we are happy to announce that one more ransomware threat has been decrypted. Kaspersky Lab’s free Crysis decryption tool is available for download at NoMoreRansom.org,” notes Anton Ivanov, senior malware analyst at Kaspersky Lab.

13 countries join our ransomware fighting project
http://blog.kaspersky.com/nomoreransom-goes-global/13254/
Mon, 17 Oct 2016 10:00:40 +0000

Kaspersky Lab not only develops security solutions but also helps to catch criminals and creates free decryption tools for ransomware victims. The utilities can be downloaded from the No More Ransom site.

Today we provide an update on the project’s progress and talk about what we have already achieved.

The Dutch National Police, Europol, Intel Security and Kaspersky Lab launched the No More Ransom project on July 25, 2016. In the project’s first three months, 2,500 people successfully decrypted their files with our decryptors instead of paying ransom to criminals. Taking into account the average price criminals ask as a ransom, we estimate the No More Ransom project has already helped people to save more than $1 million.

That’s good news, but we still consider the victory small. Cybercriminals are on the watch, so we must stay alert as well. The more organizations join the project, the more effective our fight will be — and the more decryptors we’ll make. Each decryptor is a sort of superweapon that aims right at the malefactors’ sore spot — their wallets.

And so we are very pleased to report that law enforcement agencies from 13 more countries now support our initiative: The No More Ransom Project has new allies in Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland, and the United Kingdom.

In addition, Eurojust and the European Commission support the project’s objectives. Moreover, in the next few months more law enforcement agencies and security companies from several countries are going to join the project.

One more piece of good news: Today, the No More Ransom site exists in English only, but soon we will translate it into several other languages. As a result, ransomware victims from all over the world will receive the help they need quicker and easier, in their native language.

Jornt van der Wiel, a security researcher on our Global Research and Analysis Team, thinks that the fight against ransomware succeeds best when law enforcement agencies and the corporate sector join forces.

“Researchers can offer broader malware analysis and services like Internet scanning, helping to find connections between different items of data,” Jornt explains. “This enables the police to locate and seize the servers used to manage the attack. In some cases, the researchers’ insight can also help police to track down and arrest the criminals responsible. The seized servers can contain decryption keys, and, when shared with private sector companies, this can be turned into decryption tools that help victims to unlock their data without paying the ransom.”

The growing threat of ransomware concerns the whole world. And the rate of this rise is tremendous: The number of ransomware attacks increased more than fivefold from 2014–2015 to 2015–2016. However, we hope that we can mitigate future damage.

There is another very effective weapon against ransomware: knowledge. Everybody can learn about this threat and ways to protect themselves, and thereby greatly contribute to the fight against ransomware. And it’s much easier to prevent infection than to recover data after an incident has already occurred, so we kindly ask all of our readers to get acquainted with and follow these tips — stay safe!

Simply the best!
http://blog.kaspersky.com/effitas-certification/13213/
Tue, 11 Oct 2016 13:00:43 +0000

With lots of the things you buy, it’s easy enough to make an informed decision: read up on car specs, check a banana’s ripeness, try on a jacket. With security software, you can’t know much — until something goes horribly wrong. Sure, we can tell you Kaspersky Lab’s security software is great, and we test it over and over again (we do!), but hey, we’re biased. You have to figure all companies are biased in favor of their own products, and that’s why independent testing entities are critically important to informed consumers. They have no horse in the race, and they take pains to make their testing methodologies fair and transparent.

Independent testers may test a product at the behest of a company, but the clearest value for consumers comes from independent competitive testing: a group of products performing the same tests to see where each ranks. That is why for the sake of our users, we are very pleased to announce that in a recent assessment of 16 security solutions by independent testing agency MRG Effitas, Kaspersky Internet Security received the sole Level 1 certification of the bunch.

For MRG Effitas’ 360 Degree Assessment & Certification for Q2 2016, the agency evaluated security solutions on their ability to protect endpoints from a live infection, as well as to detect and remediate in case of infection.

The tests are designed for realism, for example attempting malware infections through a browser or USB drive. Malware types include Trojans, backdoors, ransomware, potentially unwanted applications, financial malware and “other” — in total, 399 in-the-wild samples. And speed matters.

The time components of the testing — detection and remediation — set each product to scan every 30 minutes over a 24-hour period. To attain Level 1 certification, a product had to detect and block every threat either immediately on exposure (including behavior protection), or within the 24-hour window. Kaspersky Internet Security was the only product to meet that challenge.

The Level 2 certification requires detection and disinfection of at least 97% of the test malware cases within 24 hours; only four solutions achieved that level. The other 11 products failed the certification testing.

Commenting on that, Timur Biyachuev, director of antimalware research at Kaspersky Lab, said: “At Kaspersky Lab, we know how important it is for our users to be able to protect what matters most to them, whether that’s protecting their data from ransomware, or their money from banking Trojans. This is why we work so hard to develop the best possible security solutions for our users, and we are proud that Kaspersky Internet Security has been awarded yet another independent commendation. This test is not the first time our work has been acclaimed — our products were awarded 60 first places in independent tests and reviews last year. These awards reflect our devotion to making the Internet a better, and safer place for everyone.”

Did Spotify serve you malware?
http://blog.kaspersky.com/spotify-malware/13184/
Thu, 06 Oct 2016 16:11:48 +0000

Over the past few days, there has been some chatter surrounding Spotify based on a user’s post in the company’s community forum:

There’s something pretty alarming going on right now with Spotify Free. This started several hours ago. If you have Spotify Free open, it will launch — and keep on launching — the default internet browser on the computer to different kinds of malware / virus sites. Some of them do not even require user action to be able to cause harm.

I have 3 different systems (computers) which are all clean and they are all doing this, all via Spotify — I am thinking it’s the Ads in Spotify Free. I hope this has been noticed and Spotify staff are fixing it — fast. But it’s still puzzling something like this can actually happen.

Unfortunately, this was not an isolated incident; it appears the free version of Spotify was sending some questionable browser ads. The company noted in response to the user’s post:

We’ve identified an issue where a small number of users were experiencing a problem with questionable website pop-ups in their default browsers as a result of an isolated issue with an ad on our Free tier. We have now identified the source of the problem and have shut it down. We will continue to monitor the situation. If you see this issue again, please let us know the exact date and time in this thread.

The problem seems to have been fixed now. By the way, some time ago a user mentioned to us on Twitter that he was having a similar issue with Spotify, also commenting that his Kaspersky product had saved him from the malware.

Dear @Spotify. Thank you for allowing malicious links inside ads. If it weren't for @kaspersky I'd be fucked now. Fix it would ya!!?

We’re glad for this user, but we also feel for those who had an unpleasant browsing experience when they were just looking to enjoy some music. This sort of problem is one of many great reasons to have reliable antivirus software. We would recommend looking at Kaspersky Internet Security — the first 30 days are free.

Can you keep a secret? Facebook brings encrypted secret conversations to Messenger
http://blog.kaspersky.com/encrypted-facebook-messenger/13167/
Thu, 06 Oct 2016 13:51:39 +0000

Do you like privacy? Well, let me introduce you to a new player in the encrypted messaging game: Secret Conversations. It comes from a messaging service many are already using, Facebook Messenger.

The service is currently available to all users of Messenger on Android and iOS, and it provides optional end-to-end encryption for users. Secret Conversations are available only for one-to-one conversations and will not tie into past chats with a user — meaning that if you were talking with a coworker via Messenger for months, the new secret message would not retrofit the past conversation into a private encrypted thread; instead it would begin a new and separate conversation. Users can also pull an Inspector Gadget and have messages self-destruct in as little as 5 seconds.

Unfortunately for people who are not using Messenger, Facebook does not have the infrastructure in place to manage encryption keys to desktops. While some will decry Secret Conversations as just another Snapchat clone or way around the data sharing of WhatsApp, it could also be seen as a way to introduce another level of privacy to the billion-plus users of Facebook Messenger who may not be into using apps like Signal, Threema, or Telegram.

How do I get started?

To get started, you will need to open up Facebook Messenger on your mobile device. For purposes of writing these instructions and taking the screenshots, we used an Android device, but the process is similar in iOS.

1. Click the person icon in the top right. On the resulting screen you will scroll down to Secret Conversations.

2. Turn on Secret Conversations. Agree by selecting OK. Note: You can always turn the feature off again by moving the toggle.

3. Start a conversation. As with any Facebook message, start by clicking on the blue “+” button.

4. Go private. Before you select a friend to have a conversation with, pull the bubble in the top right to the right. Doing so will turn your screen private and make the messages part of a new Secret Conversation.

Now, you may hit a snag at some point in the process. If you try encrypted communication with someone who is not on Facebook Messenger, for example, you will get an error message in the chat.

When the conversation is working properly, you will see the chat go through.

As you can tell, we were excited to try this out with teammates around the globe.

While testing it out, we confirmed not only that we could not access the encrypted messages from our desktops, but also that if you set a message to expire it gets pretty fuzzy.

Finally, for those of you wondering: Yes, Secret Messages do support stickers…you know, for those times when words will not do.

As the parents of relatively young children, my wife and I have used local yard sale groups on Facebook extensively to sell items the kids have outgrown as well as buy items that we really did not want to buy brand new. To us it was like mixing the value of eBay with the convenience of not having to wait for things to come in the mail — not to mention, no shipping charges.

If Marketplace improves or streamlines the process of buying and selling through those local groups, that sounds great. With that said, using Marketplace means buying something from a stranger online and meeting in person to exchange currency for goods. Marketplace is merely the forum for finding each other, as noted in Facebook’s press materials:

Decided that you want it? Send the seller a direct message from Marketplace to tell them you’re interested and make an offer. From that point on, you and the seller can work out the details in any way you choose. Facebook does not facilitate the payment or delivery of items in Marketplace.

Whenever I purchased or sold something through a Facebook group, setting up the meetings was the worst part. I often opted to pick up an item from someone’s doorstep or porch and leave money in a mailbox rather than having a face-to-face interaction. Maybe I am paranoid, but those in-person interactions never sat well with me.

As a seller, using the honor system worried me some, but I was typically selling something we had considered outright throwing away, so the risk was worth the reward.

In looking into the security aspect of Marketplace, I dropped a line to David Emm, a principal security researcher and member of Kaspersky Lab’s GReAT. He noted that, “the fact that it’s linked to a Facebook profile isn’t really a protection, since it’s possible to hijack accounts or create fake profiles. At the moment, Facebook is keeping out of the transaction — it’s a way of them trying to engage ‘customers.’ But in the future, if they commercialize it (ads), it’s possible that this might lead them to regulate transactions, including payments. People should exercise caution about meeting and making payments to strangers.”

It’s a bit early to say, but overall, Marketplace seems to be a positive addition to Facebook’s platform. Anyone can use it, and it can be an easy way to obtain or offload items while using a platform that is already a part of most Internet users’ daily lives.

However, with that said, a level of common sense really is critical. The following are three best practices for using Marketplace (or, for that matter, other person-to-person goods sites such as Upcycle, Craigslist, Freecycle).

Choose a safe meeting spot

It’s worth repeating: You are buying items from, or selling to, someone you do not know. When arranging for an exchange, try to pick a place that is public. If that is not possible, do your best to mitigate potential risks. For example, take a friend with you, or tell someone where you are going.

Emm added, “It also presents the risk of face-to-face meetings in local areas, which has the potential to be taken advantage of by criminals.”

So if you feel that you are entering a sketchy situation, just walk away. You can always tell the seller something came up and reschedule.

Do a gut check — is it legal? Legally obtained?

If you saw someone selling a 2017 Ferrari for $1,000, you would assume that car was stolen. The same can be said for a too-good-to-be-true $100 MacBook or $50 Rolex. If the deal sounds too good to be true, the item is most likely fake or stolen, and you should walk away.

Also think twice before buying something illegal, should it find its way into the Marketplace. For example, if you decide to peruse Marketplace looking for guns, narcotics or other illicit items, consider that as a public forum, Facebook Marketplace can be viewed by law enforcement officials.

Use common sense

Ultimately, perhaps the most important safety equipment you can bring to the Marketplace is your own common sense. Whether you are buying or selling, weigh the risk against the reward for each potential transaction. By bringing these sales into Facebook, you gain a measure of convenience but give up some of your privacy by putting out identifiable data.

Currently, Facebook Marketplace is brand spanking new. I for one am excited to see its evolution. Emm notes that he sees some type of regulation on the part of Facebook in the Marketplace’s future: “If I buy through the Amazon Marketplace, I’m offered the same protections as when I buy through Amazon, or another store — buyers and sellers don’t see each other’s details; the buyer doesn’t pay the seller directly; and if anything goes wrong, Amazon acts as guarantor. In the end, I think Facebook will be obliged to regulate the marketplace to one degree or another.”